[#CONF-6505] Comment index entries do not inherit permissions correctly

Confluence

Comment index entries do not inherit permissions correctly

Created: 05/Jul/06 12:14 AM Updated: 25/Jul/07 01:59 AM

Component/s:

Comments, Permissions, RSS / Atom feeds, Searching / Indexing

Affects Version/s:

2.2.1, 2.2.5, 2.2.9

Fix Version/s:

2.4.3

Time Tracking:

Not Specified

Issue Links:

Duplicate

This issue is duplicated by:

~~CONF-7911~~ Comment appears on recently updated even though it was page permission restricted

~~CONF-9002~~ Security: Comments visible on dashboard: recent changes while page view is closed for users

Participants:	Charles Miller [old account, do not assign issues], Christopher Owen [Atlassian] and Matthew Jensen [Atlassian]
Since last comment:	1 year, 35 weeks, 3 days ago
Resolution Date:	19/Mar/07 07:35 PM
Labels:

Description

« Hide

Comments attached to pages that inherit restrictions from parent pages seem to ignore the inherited permissions in the Confluence index.

Steps to reproduce:

1) Enable anonymous Confluence access
2) Create a space with anonymous access
3) Add a page and restrict view to confluence-users
4) Add a subpage
5) Add a comment to this subpage

The comment will appear in the dashboard recently updated list even for anonymous users. Trying to access it however will result in a credentials check.

The comment will also appear in any public RSS feed which only has "comment" in its type list. Curiously they won't appear if the feed is configured to filter other content types such as pages.

Adding a comment directly to the parent page which has the restriction set does not trigger this behaviour.

All

Comments

Work Log

Change History

Sort Order:

[ Permlink | « Hide ]

Charles Miller [old account, do not assign issues] added a comment - 18/Jul/06 03:03 AM

I couldn't reproduce this, the above steps work fine for me. Need a working test case.

[ Permlink | « Hide ]

Christopher Owen [Atlassian] added a comment - 10/Oct/06 12:33 AM

This behaviour would seem to depend on the timing of index queue flushing. If the comment is added to the queue with the initial page creation index job the comment inherits the correct permissions. But comments added to the index queue once the initial page creation index event has been flushed though do not properly inherit permissions.

[ Permlink | « Hide ]

Matthew Jensen [Atlassian] added a comment - 15/Mar/07 11:19 PM

This issue does indeed have to do with the timing of the index queue flushing.

To reproduce properly you will need to install the 'Job Manager Plugin' and disable the 'IndexQueueFlusher' Job (or wait for the job to run before adding the comment).
http://confluence.atlassian.com/display/CONFEXT/Job+Manager+Plugin

Steps to reproduce:
1) Enable anonymous Confluence access
2) Create a space with anonymous access
3) Add a page and restrict view to confluence-users
4) Add a subpage
4b) Run the IndexQueueFlusher
5) Add a comment to this subpage
5b) Run the IndexQueueFlusher

[ Permlink | « Hide ]

Matthew Jensen [Atlassian] added a comment - 19/Mar/07 07:35 PM

Committed to 2.4 branch and trunk.

[ Permlink | « Hide ]

Matthew Jensen [Atlassian] added a comment - 19/Mar/07 07:38 PM

The cause of this issue was because:

Comment.getPage was returning an AbstractPage type
Comments can be attached to BlogPosts or Pages
AbstractPage was configured by hibernate to be cglib proxied

The permission check tested for the getPage result to see if it implemented hierarchical. But since it was a proxy, it didn't (and the instanceof check didn't de-proxy it).

This issue did not come up if the page was indexed in the same flush because it was loaded by hibernate (and deproxied correctly) before this check was made.

Removed the configuration to proxy (and lazy load) the comment->page reference.